# EMV 3-D Secure JavaScript API Integration for PSD2 SCA
source: https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/psd2-sca-com-exem/3ds-js-int-psd2-sca/index.md

This page describes the integration effort to support PSD2 SCA compliance and exemptions for an EMV 3-D Secure JavaScript API integration. Before you proceed to build your integration, it is recommended that you familiarize yourself with [PSD2 SCA Compliance and Exemptions](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/index.md#understanding-psd2-sca-compliance-and-exemptions).
Warning: The EMV 3-D Secure JS integration guidelines for PSD2 SCA complement the [Authentication API](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/psd2-sca-com-exem/gw-int-psd2-sca/index.md) integration guidelines and as such must be used with it.

## Supported exemptions {#supported-exemptions}

The gateway currently has support for the following exemptions:

* Low Risk
* Low Value
* Whitelisting
* Recurring Payments
* Secure Corporate Payments

Warning: Support is provided for PSD2 SCA exemptions for Mastercard and Visa cards.

## Prerequisites {#prerequisites}

To comply with PSD2 SCA requirements, you need to add [EMV 3-D Secure Authentication](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/index.md) to your gateway integration.

To use the PSD2 SCA exemptions functionality through the gateway:

* Your merchant profile on the gateway must be enabled and configured for the PSD2 exemptions you want to use by your payment service provider.
* Do not configure any EMV 3-D Secure Transaction Filtering rules.
* You must have an [EMV 3-D Secure JavaScript API](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/3ds-js-api/index.md) integration to the gateway for [3DS2](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/index.md).
* Submit as much payer and transaction information as possible when [initiating the authentication](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/3ds-js-api/index.md#step-3-initiate-authentication). This raises the probability of an exemption being granted or applied by the issuer.

## Requesting payer authentication {#requesting-payer-authentication}

You can submit the authentication request without claiming an exemption. In this case, you do not need to change your integration with the gateway's [EMV 3-D Secure JavaScript API](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/3ds-js-api/index.md).

If PSD2 SCA applies to the transaction, the issuer will either present the payer with the EMV 3-D Secure challenge or apply an issuer exemption where the payer will experience a frictionless checkout flow. In both cases, the required authentication details are contained in the response, and you can proceed to the payment in the standard way.

## Claiming an exemption when requesting payer authentication {#claiming-an-exemption-when-requesting-payer-authentication}

If the [Initiate Authentication](https://developer.mastercard.com/mastercard-gateway/documentation/api-reference/js-libraries/three-ds/index.md) response indicates that EMV 3-D Secure is available for the card, that is, `data.authenticationVersion` has the value 3DS2, you can claim an exemption when invoking the `authenticatePayer()` method. Add the `authentication.psd2.exemption` field with one of the following values to the `optionalParams` request field. For more information, see [Step 4: Authenticate Payer](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/3ds-js-api/index.md#step-4-authenticate-payer).

* LOW_RISK
* LOW_VALUE_PAYMENT
* SECURE_CORPORATE_PAYMENT

If you are not enabled for the requested exemption, the request is processed as if you did not request an exemption. The issuer may:

* grant the exemption that you have requested,
* apply an issuer exemption, or
* deny the exemption that you have requested and not apply an issuer exemption.

Warning: The request must contain the field `authentication.challengePreference=NO_CHALLENGE`
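
The following sketch shows one way to assemble the `optionalParams` for `authenticatePayer()` so that an exemption is claimed only for 3DS2 and always together with `NO_CHALLENGE`. It is an added example, not code from the gateway documentation; the function name, the nested object layout for the dotted field names, and the sample inputs are assumptions.

```javascript
// Added example: build optionalParams for authenticatePayer() with a PSD2 exemption claim.
// The claimable values are the ones listed on this page.
const CLAIMABLE_EXEMPTIONS = ["LOW_RISK", "LOW_VALUE_PAYMENT", "SECURE_CORPORATE_PAYMENT"];

// initiateData: Initiate Authentication callback data (constructed samples below).
// exemption:    value to claim, or null to authenticate without claiming one.
// baseParams:   optionalParams your integration already sends (assumed plain JSON object).
function buildAuthenticatePayerParams(initiateData, exemption, baseParams = {}) {
  // Deep copy so the caller's object is never mutated between checkout attempts.
  const params = JSON.parse(JSON.stringify(baseParams));

  if (exemption === null || exemption === undefined) {
    return params; // no claim: the existing integration is unchanged
  }
  // Reject values outside the documented list instead of forwarding them.
  if (!CLAIMABLE_EXEMPTIONS.includes(exemption)) {
    throw new Error("Unsupported PSD2 exemption value: " + exemption);
  }
  // Claim only when Initiate Authentication reported 3DS2 for the card.
  if (!initiateData || initiateData.authenticationVersion !== "3DS2") {
    return params;
  }
  // Assumption: dotted field names map to nested objects inside optionalParams.
  params.authentication = Object.assign({}, params.authentication, {
    challengePreference: "NO_CHALLENGE", // must accompany the exemption claim
    psd2: { exemption: exemption },
  });
  return params;
}

// Constructed sample inputs (not real gateway responses).
const sampleInitiate3ds2 = { authenticationVersion: "3DS2" };
const sampleInitiate3ds1 = { authenticationVersion: "3DS1" };
const sampleBaseParams = { fullScreenRedirect: true };

console.log(JSON.stringify(
  buildAuthenticatePayerParams(sampleInitiate3ds2, "LOW_RISK", sampleBaseParams)));
console.log(JSON.stringify(
  buildAuthenticatePayerParams(sampleInitiate3ds1, "LOW_RISK", sampleBaseParams)));
```
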

You can claim an exemption for all the cases listed below:

* 3DS2 is available for the card, that is, the [Initiate Authentication](https://developer.mastercard.com/mastercard-gateway/documentation/api-reference/js-libraries/three-ds/index.md) response returned `data.authenticationVersion` with value 3DS2.
  * If 3DS2 is available, the gateway requests the exemption during the authentication.
* Your acquirer supports PSD2 exemptions. If the acquirer does not support exemptions, the gateway will automatically request the authentication without asking for an exemption.
* The issuer supports PSD2 exemptions for authentications. If the issuer does not support PSD2 exemptions, the gateway bypasses the authentication and advises you to proceed to the payment. The gateway will automatically request the exemption when submitting the payment for processing to the acquirer.

Special handling is applied if your acquirer or the scheme does not support exemptions.

| **Scenario** | **Description** |
|--------------|-----------------|
| **Issuer grants Acquirer exemption** | If the issuer grants the exemption that you have requested:<br>• The payer will be presented with a frictionless checkout flow.<br>• The response indicates that an acquirer exemption was granted (`transaction.authenticationStatus=AUTHENTICATION_EXEMPT`).<br>• The response indicates that you may proceed with the payment (`data.gatewayRecommendation=PROCEED`).<br>• The response contains the EMV 3-D Secure authentication details.<br>• You can proceed with the payment. |
| **Issuer applies Issuer exemption** | If the issuer applies an issuer exemption:<br>• The payer will be presented with a frictionless checkout flow.<br>• The response indicates that the authentication was successful (`transaction.authenticationStatus=AUTHENTICATION_SUCCESSFUL`).<br>• The response indicates that you may proceed with the payment (`data.gatewayRecommendation=PROCEED`).<br>• The response contains the EMV 3-D Secure authentication details.<br>• You can proceed with the payment. |
| **Issuer does not grant or apply an exemption** | If the issuer did not grant the exemption that you have requested and did not apply an issuer exemption:<br>• The payer will be presented with the EMV 3-D Secure challenge flow.<br>• The response indicates the outcome of the payer authentication in the `transaction.authenticationStatus` field.<br>• If the authentication was successful (`transaction.authenticationStatus=AUTHENTICATION_SUCCESSFUL`) the response contains the EMV 3-D Secure authentication details.<br>• The response indicates in the `data.gatewayRecommendation` field if the gateway recommends that you proceed with the payment. |
| **Acquirer does not have support for PSD2 exemptions** | If the acquirer (that will subsequently be used to process the payment) does not have support for PSD2 exemptions, the gateway processes the authentication as if no exemption were requested.<br>• The payer will be presented with the EMV 3-D Secure challenge flow.<br>• The response indicates the outcome of the payer authentication in the `transaction.authenticationStatus` field.<br>• If the authentication was successful (`transaction.authenticationStatus=AUTHENTICATION_SUCCESSFUL`) the response contains the EMV 3-D Secure authentication details.<br>• The response indicates in the `data.gatewayRecommendation` field if the gateway recommends that you proceed with the payment. |
| **PSD2 exemptions are not supported for this scheme** | Requesting exemptions when performing the authentication is currently only supported for Mastercard and Visa.<br>• If the gateway does not have support to request PSD2 exemptions for a scheme, the gateway proceeds without performing EMV 3-D Secure.<br>• The response indicates that an acquirer exemption is being requested (`transaction.authenticationStatus=AUTHENTICATION_EXEMPT`).<br>• The response indicates that you may proceed with the payment (`data.gatewayRecommendation=PROCEED`).<br>• You can proceed with the payment.<br>The response will not contain any EMV 3-D Secure details (indicating that EMV 3-D Secure was not performed). When you proceed with the payment, the gateway will automatically request the exemption when submitting the payment for processing with the acquirer. |

#### Proceeding with a payment {#proceeding-with-a-payment}

If the response does not contain `data.gatewayRecommendation=PROCEED`, we do not recommend that you proceed with the payment. Ask the payer for another set of payment details.

If the [Authenticate Payer](https://developer.mastercard.com/mastercard-gateway/documentation/api-reference/js-libraries/three-ds/index.md) response indicates that you can proceed with the payment (`response.gatewayRecommendation=PROCEED`), proceed with the payment by submitting an Authorize or Pay request. For details, see [Implementing an EMV 3-D Secure Integration using the EMV 3-D Secure JavaScript API (Step 5)](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/3ds-js-api/index.md#step-5-use-the-authentication-in-a-payment).

#### Fallback to 3DS1 {#fallback-to-3ds1}

If the card does not support 3DS2, the gateway may fall back to 3DS1. In this case, where you have requested an exemption, the gateway behavior depends on the acquirer support for PSD2 exemption. See the table for details.

| **Scenario** | **Description** |
|--------------|-----------------|
| **Acquirer has support for PSD2 exemptions** | The gateway proceeds without performing EMV 3-D Secure.<br>• The response indicates that an acquirer exemption is being requested (`transaction.authenticationStatus=AUTHENTICATION_EXEMPT`).<br>• The response indicates that you may proceed with the payment (`data.gatewayRecommendation=PROCEED`).<br>• You can proceed with the payment.<br>The response will not contain any EMV 3-D Secure details (indicating that EMV 3-D Secure was not performed). When you proceed with the payment, the gateway will automatically request the exemption when submitting the payment for processing with the acquirer. |
| **Acquirer does not have support for PSD2 exemptions** | If the acquirer (that will subsequently be used to process the payment) does not have support for PSD2 exemptions, the gateway processes the authentication as if no exemption was requested.<br>• The payer will be presented with the EMV 3-D Secure challenge flow.<br>• The response indicates the outcome of the payer authentication in the `transaction.authenticationStatus` field.<br>• If the authentication was successful (`transaction.authenticationStatus=AUTHENTICATION_SUCCESSFUL`) the response contains the EMV 3-D Secure authentication details.<br>• The response indicates in the `data.gatewayRecommendation` field if the gateway recommends that you proceed with the payment. |
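
The two scenario tables above reduce to a small decision over the recommendation, the authentication status, and whether EMV 3-D Secure details are present. The classifier below is an added example, not part of the gateway documentation; the flattened input shape, the `hasThreeDsDetails` flag, and the scenario labels are assumptions made for illustration.

```javascript
// Added example: map an Authenticate Payer outcome onto the scenarios in the tables above.
// Assumed input shape (flatten your own callback data into it):
//   gatewayRecommendation, authenticationStatus: values as named on this page
//   hasThreeDsDetails: true when the response carries EMV 3-D Secure authentication details
// The scenario labels returned here are hypothetical names chosen for this example.
function classifyAuthenticationOutcome(outcome) {
  const { gatewayRecommendation, authenticationStatus, hasThreeDsDetails } = outcome || {};

  // Fail closed: only an explicit PROCEED allows the Authorize or Pay request.
  if (gatewayRecommendation !== "PROCEED") {
    return { proceed: false, scenario: "NO_PROCEED_RECOMMENDATION",
             action: "Ask the payer for another set of payment details" };
  }
  if (authenticationStatus === "AUTHENTICATION_EXEMPT") {
    // With 3DS details, the issuer granted the claimed exemption during authentication.
    // Without them, 3DS was not performed (unsupported scheme or 3DS1 fallback) and the
    // gateway requests the exemption when the payment goes to the acquirer.
    return hasThreeDsDetails
      ? { proceed: true, scenario: "ACQUIRER_EXEMPTION_GRANTED", action: "Submit Authorize or Pay" }
      : { proceed: true, scenario: "EXEMPTION_REQUESTED_AT_PAYMENT", action: "Submit Authorize or Pay" };
  }
  if (authenticationStatus === "AUTHENTICATION_SUCCESSFUL") {
    // An issuer exemption (frictionless) and a passed challenge report the same status.
    return { proceed: true, scenario: "AUTHENTICATED", action: "Submit Authorize or Pay" };
  }
  // PROCEED with a status this page does not describe: proceed, but keep a record.
  return { proceed: true, scenario: "UNCLASSIFIED_STATUS",
           action: "Submit Authorize or Pay and log the status" };
}

// Constructed sample outcomes (not real gateway responses).
const sampleOutcomes = [
  { gatewayRecommendation: "PROCEED", authenticationStatus: "AUTHENTICATION_EXEMPT", hasThreeDsDetails: true },
  { gatewayRecommendation: "PROCEED", authenticationStatus: "AUTHENTICATION_EXEMPT", hasThreeDsDetails: false },
  { gatewayRecommendation: "PROCEED", authenticationStatus: "AUTHENTICATION_SUCCESSFUL", hasThreeDsDetails: true },
  // Recommendation missing: must not be treated as PROCEED even though the status looks good.
  { authenticationStatus: "AUTHENTICATION_SUCCESSFUL", hasThreeDsDetails: true },
];

function summarizeOutcomes(outcomes) {
  return outcomes.map((o) => classifyAuthenticationOutcome(o).scenario);
}

console.log(summarizeOutcomes(sampleOutcomes));
```
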

## Proceeding with a payment after a successful authentication {#proceeding-with-a-payment-after-a-successful-authentication}

If you have successfully performed an authentication, that is, the [Authenticate Payer](https://developer.mastercard.com/mastercard-gateway/documentation/api-reference/js-libraries/three-ds/index.md) response contains `data.gatewayRecommendation=PROCEED`, proceed with the payment by submitting an [Authorize](https://developer.mastercard.com/mastercard-gateway/documentation/api-reference/v100/rest/api-ops/index.md#transaction) or [Pay](https://developer.mastercard.com/mastercard-gateway/documentation/api-reference/v100/rest/api-ops/index.md#transaction) request.

For details, see [Implementing an EMV 3-D Secure Integration using the EMV 3-D Secure JavaScript API (Step 5)](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/3ds-js-api/index.md#step-5-use-the-authentication-in-a-payment). The gateway will automatically add the EMV 3-D Secure authentication details to the transaction request submitted to the issuer.

## FAQs {#faqs}

If you have an existing integration with the gateway using the gateway's legacy API for 3DS1, you need to upgrade to [EMV 3-D Secure Authentication](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/index.md) and then follow the integration steps described on this page.

EMV 3-D Secure 1 is only considered compliant with the PSD2 SCA mandate if the issuer sends a one-time password to the payer's phone when authenticating the payer, not where the issuer assigns a static password to the payer.

As not all issuers use one-time passwords, it is not recommended to rely on 3DS1 if you are required to comply with the PSD2 SCA mandate.

You do not need to authenticate the payer for such an agreement again. The schemes have rules for the transition period.

The gateway ignores the exemption contained in the session when the order has a payment that has been rejected by the issuer because it is not PSD2 SCA compliant. Hence, it is not required that you remove the exemption from the session before performing the EMV 3-D Secure authentication for the order and resubmitting the payment.

When searching for an **order** or **transaction** in Merchant Administration through the Order and Transaction Search, you can use the search term:

* "Payer Authentication Status":"Authentication Successful" to find all successfully authenticated orders
* "Payer Authentication Status":"Authentication Exempt" to find all orders where an exemption was requested or applied

The authentication status of the order is displayed on the Order and Transaction Details page in Merchant Administration in the field "Payer Authentication Status" in the "Payer Authentication Details" section. The field has the value "Authentication Exempt" if an exemption has been requested or applied to the order.

The authentication status of the transaction is displayed on the Order and Transaction Details page in Merchant Administration in the section "Transactions". Select "View" for the transaction that you want to view. The field 'Payer Authentication - Authentication Status' will have the value 'Authentication Exempt' if an exemption has been requested or applied to the transaction.
